Global ETD Search

51	Forensic Methods and Tools for Web Environments January 2017 (has links) abstract: The Web is one of the most exciting and dynamic areas of development in today’s technology. However, with such activity, innovation, and ubiquity have come a set of new challenges for digital forensic examiners, making their jobs even more difficult. For examiners to become as effective with evidence from the Web as they currently are with more traditional evidence, they need (1) methods that guide them to know how to approach this new type of evidence and (2) tools that accommodate web environments’ unique characteristics. In this dissertation, I present my research to alleviate the difficulties forensic examiners currently face with respect to evidence originating from web environments. First, I introduce a framework for web environment forensics, which elaborates on and addresses the key challenges examiners face and outlines a method for how to approach web-based evidence. Next, I describe my work to identify extensions installed on encrypted web thin clients using only a sound understanding of these systems’ inner workings and the metadata of the encrypted files. Finally, I discuss my approach to reconstructing the timeline of events on encrypted web thin clients by using service provider APIs as a proxy for directly analyzing the device. In each of these research areas, I also introduce structured formats that I customized to accommodate the unique features of the evidence sources while also facilitating tool interoperability and information sharing. / Dissertation/Thesis / Doctoral Dissertation Computer Science 2017 Computer science Chrome OS digital forensics forensic framework forensic tools web environments web thin client
52	Construction, enrichment and semantic analysis of timelines : application to digital forensics / Construction, enrichissement et analyse sémantique de chronologies : application au domaine de la criminalistique informatique Chabot, Yoan 30 November 2015 (has links) Obtenir une vision précise des évènements survenus durant un incident est un objectif difficile à atteindre lors d'enquêtes de criminalistique informatique. Le problème de la reconstruction d'évènements, ayant pour objectif la construction et la compréhension d'une chronologie décrivant un incident, est l'une des étapes les plus importantes du processus d'investigation. La caractérisation et la compréhension complète d'un incident nécessite d'une part d'associer à chaque fragment d'information sa signification passée, puis d'établir des liens sémantiques entre ces fragments. Ces tâches nécessitent l'exploration de grands volumes de données hétérogènes trouvés dans la scène de crime. Face à ces masses d'informations, les enquêteurs rencontrent des problèmes de surcharge cognitive les amenant à commettre des erreurs ou à omettre des informations pouvant avoir une forte valeur ajoutée pour les progrès de l'enquête. De plus, tout résultat produit au terme de la reconstruction d'évènements doit respecter un certain nombre de critères afin de pouvoir être utilisé lors du procès. Les enquêteurs doivent notamment être en capacité d'expliquer les résultats produits. Afin d'aider les enquêteurs face à ces problèmes, cette thèse introduit l'approche SADFC. L'objectif principal de cette approche est de fournir aux enquêteurs des outils les aidant à restituer la sémantique des entités composant la scène de crime et à comprendre les relations liant ces entités tout en respectant les contraintes juridiques. Pour atteindre cet objectif, SADFC est composé de deux éléments. Tout d'abord, SADFC s'appuie sur des fondations théoriques garantissant la crédibilité des résultats produits par les outils via une définition formelle et rigoureuse des processus utilisés. Cette approche propose ensuite une architecture centrée sur une ontologie pour modéliser les connaissances inhérentes à la scène de crime et assister l'enquêteur dans l'analyse de ces connaissances. La pertinence et l'efficacité de ces outils sont démontrées au travers d'une étude relatant un cas d'investigation fictive. / Having a clear view of events that occurred over time is a difficult objective to achieve in digital investigations (DI). Event reconstruction, which allows investigators to build and to understand the timeline of an incident, is one of the most important steps of a DI process. The complete understanding of an incident and its circumstances requires on the one hand to associate each piece of information to its meaning, and on the other hand to identify semantic relationships between these fragments. This complex task requires the exploration of a large and heterogeneous amount of information found on the crime scene. Therefore, investigators encounter cognitive overload problems when processing this data, causing them to make mistakes or omit information that could have a high added value for the progress of the investigation. In addition, any result produced by the reconstruction process must meet several legal requirements to be admissible at trial, including the ability to explain how the results were produced. To help the investigators to deal with these problems, this thesis introduces a semantic-based approach called SADFC. The main objective of this approach is to provide investigators with tools to help them find the meaning of the entities composing the crime scene and understand the relationships linking these entities, while respecting the legal requirements. To achieve this goal, SADFC is composed of two elements. First, SADFC is based on theoretical foundations, ensuring the credibility of the results produced by the tools via a formal and rigorous definition of the processes used. This approach then proposes an architecture centered on an ontology to model and structure the knowledge inherent to an incident and to assist the investigator in the analysis of this knowledge. The relevance and the effectiveness of this architecture are demonstrated through a case study describing a fictitious investigation. Criminalistique informatique Reconstruction d'évènements Ontologie Analyse de chronologies Digital forensics Event reconstruction Forensic ontology Timeline analysis 006
53	Den IT-forensiska utvinningen i molnet : En kartläggning över den IT-forensiska utvinningen i samband med molntjänster samt vilka möjligheter och svårigheter den möter Blid, Emma, Massler, Patrick January 2017 (has links) Det blir allt vanligare att spara data online, i stället för på fysiska lagringsmedium. Detta bringar många möjligheter för dig som användare, men orsakar också nya problem framför allt inom utredningsarbetet. Problemen i kombinationen IT-forensik och molntjänster kan framför allt delas upp i två kategorier, vilka är juridiska respektive tekniska problem. De juridiska problemen berör främst att servern som lagrar data och ägaren till denna ofta befinner sig i en annan nation än där det misstänkta brottet utreds. De flesta juridiska problem kan tyckas enkla att lösa genom lagändringar, men är mer omfattande än så då både de konsekvenser det kan ha för molnleverantörerna, liksom de fördelar det kan ha för rättsväsendet, måste tas hänsyn till och noga övervägas. De tekniska problemen finns det ofta redan lösningar på. Många av dessa kan dock inte anses vara reella då krävd storlek på lagringsytan, och kostnaderna därtill, inte är i proportion av vad som skulle kunna uppnås. De flesta tekniska lösningar ger även nya problem i form av etiska dilemman då de kräver utökad lagring av personlig information. Att spara information och eventuellt behöva utreda information kopplat till en person som inte är misstänkt gör intrång på den personliga integriteten. Molnet har dock också möjligheter där den främsta för IT-forensiken är vad som kallas Digital Forensics as a Service. Detta innebär att molnets resurser nyttjas för att lösa resurstunga problem som hade varit betydligt mer tidskrävande att genomföra lokalt, likaså att möjligheterna för samarbeten och specialkompetens ökar, i syfte att underlätta och effektivera det IT-forensiska arbetet. / It is becoming more common to save data online, rather than on physical storage media. This brings many opportunities for you as a user, but also causes new problems, especially within the crime investigations. The problems in the combination of digital forensics and cloud services can be divided into two main categories, which are legal issues and technical issues. The legal issues primarily concern that the server that stores data and the owner of the server is typically based in a different nation than where the suspected crime is investigated. Most legal issues may seem easy to solve through law changes, but are more extensive than that, as both the consequences it may have for the cloud suppliers, as well as the benefits it may have for the justice system, must be taken into consideration. The technical issues often have solutions. However, many of these cannot be considered as realistic since the size of the required storage space, and the costs caused by it, are not proportional to what could be achieved. Most technical solutions also give rise to new issues in the form of ethical dilemmas as they require enhanced storage of personal information. To save more information and to possibly need to investigate information associated with a person who is not suspected of committing the crime intrudes the personal integrity. The cloud, however, also brings opportunities where the foremost for digital forensics is what is called Digital Forensics as a Service. This means that the cloud’s resources are utilised to solve resource related problems that had been significantly more time consuming to implement locally, as well as the opportunities for cooperation and expertise increase, in order to facilitate and enhance IT-forensic work. IT-forensik digital forensics molnmiljö cloud environment Computer and Information Science Data- och informationsvetenskap
54	Finding digital forensic evidence when graphic design applications are used for document counterfeiting Mabuto, Enos Kudakwashe January 2013 (has links) Graphic design applications are often used for the editing and design of digital art. The same applications can be used for creating counterfeit documents such as identity documents (IDs), driver’s licenses or passports, among others. The products of graphic design applications, however, leave behind traces of digital information which can be used during a digital forensic investigation. Although current digital forensic tools are designed to scrutinise systems with the purpose of finding digital evidence, the tools are not designed to examine such systems specifically for the purpose of identifying counterfeit documents. This dissertation reviews the digital evidence relating to the creation of counterfeit documents and gathered from graphic design applications. Digital evidence gathered in this way consists mainly of identifying and corroborating the counterfeiting events that occurred on a particular system. Firstly, such an analysis is accomplished by establishing linkages between the digital forensic information that has been gathered and the specific actions that were performed when the counterfeit documents were created. Such actions comprise scanning, editing, saving, and printing. The researcher is able to compile a dossier of the digital forensic information that is generated by such actions by analysing the files that were generated by making use of a particular graphic design application for document creation. Secondly, the researcher extends the analysis to the actual files created by the application user. These files can be used as evidence to establish linkages between the content of the counterfeit documents that are being investigated and the document editing actions that are necessary for creating such documents. The researcher gathers digital forensic information of this kind by analysing the different file types that are associated with these applications. The researcher then gathers the associated timeline evidence separately by means of a third analysis that identifies timestamps from the application’s system files and evidence files. The researcher is then able to draw a timeline from the timestamps to illustrate the sequence of events that occurred. From the digital evidence gathered in this way it is possible to propose a two-pronged counterfeiting investigation process. This proposed investigation process is application and platform independent. The researcher concludes the study by transforming the model into a working prototype by demonstrating how the prototype is capable of analysing and extracting digital forensic information from certain graphic design application file types and log files. Such a prototype is capable of identifying the system that was utilised for counterfeiting particular documents or identifying whether a specific document is counterfeited or not. / Dissertation (MSc)--University of Pretoria, 2013. / gm2014 / Computer Science / unrestricted Counterfeit documents Digital evidence Digital forensics Digital forensic artifacts Graphic design applications UCTD
55	Unsupervised discovery of relations for analysis of textual data in digital forensics Louis, Anita Lily 23 August 2010 (has links) This dissertation addresses the problem of analysing digital data in digital forensics. It will be shown that text mining methods can be adapted and applied to digital forensics to aid analysts to more quickly, efficiently and accurately analyse data to reveal truly useful information. Investigators who wish to utilise digital evidence must examine and organise the data to piece together events and facts of a crime. The difficulty with finding relevant information quickly using the current tools and methods is that these tools rely very heavily on background knowledge for query terms and do not fully utilise the content of the data. A novel framework in which to perform evidence discovery is proposed in order to reduce the quantity of data to be analysed, aid the analysts' exploration of the data and enhance the intelligibility of the presentation of the data. The framework combines information extraction techniques with visual exploration techniques to provide a novel approach to performing evidence discovery, in the form of an evidence discovery system. By utilising unrestricted, unsupervised information extraction techniques, the investigator does not require input queries or keywords for searching, thus enabling the investigator to analyse portions of the data that may not have been identified by keyword searches. The evidence discovery system produces text graphs of the most important concepts and associations extracted from the full text to establish ties between the concepts and provide an overview and general representation of the text. Through an interactive visual interface the investigator can explore the data to identify suspects, events and the relations between suspects. Two models are proposed for performing the relation extraction process of the evidence discovery framework. The first model takes a statistical approach to discovering relations based on co-occurrences of complex concepts. The second model utilises a linguistic approach using named entity extraction and information extraction patterns. A preliminary study was performed to assess the usefulness of a text mining approach to digital forensics as against the traditional information retrieval approach. It was concluded that the novel approach to text analysis for evidence discovery presented in this dissertation is a viable and promising approach. The preliminary experiment showed that the results obtained from the evidence discovery system, using either of the relation extraction models, are sensible and useful. The approach advocated in this dissertation can therefore be successfully applied to the analysis of textual data for digital forensics Copyright / Dissertation (MSc)--University of Pretoria, 2010. / Computer Science / unrestricted Text analysis Text mining Information extraction Relation discovery Digital forensics UCTD
56	Considerations towards the development of a forensic evidence management system Arthur, Kweku Kwakye 23 July 2010 (has links) The decentralized nature of the Internet forms its very foundation, yet it is this very nature that has opened networks and individual machines to a host of threats and attacks from malicious agents. Consequently, forensic specialists - tasked with the investigation of crimes commissioned through the use of computer systems, where evidence is digital in nature - are often unable to adequately reach convincing conclusions pertaining to their investigations. Some of the challenges within reliable forensic investigations include the lack of a global view of the investigation landscape and the complexity and obfuscated nature of the digital world. A perpetual challenge within the evidence analysis process is the reliability and integrity associated with digital evidence, particularly from disparate sources. Given the ease with which digital evidence (such as metadata) can be created, altered, or destroyed, the integrity attributed to digital evidence is of paramount importance. This dissertation focuses on the challenges relating to the integrity of digital evidence within reliable forensic investigations. These challenges are addressed through the proposal of a model for the construction of a Forensic Evidence Management System (FEMS) to preserve the integrity of digital evidence within forensic investigations. The Biba Integrity Model is utilized to maintain the integrity of digital evidence within the FEMS. Casey's Certainty Scale is then employed as the integrity classifcation scheme for assigning integrity labels to digital evidence within the system. The FEMS model consists of a client layer, a logic layer and a data layer, with eight system components distributed amongst these layers. In addition to describing the FEMS system components, a fnite state automata is utilized to describe the system component interactions. In so doing, we reason about the FEMS's behaviour and demonstrate how rules within the FEMS can be developed to recognize and pro le various cyber crimes. Furthermore, we design fundamental algorithms for processing of information by the FEMS's core system components; this provides further insight into the system component interdependencies and the input and output parameters for the system transitions and decision-points infuencing the value of inferences derived within the FEMS. Lastly, the completeness of the FEMS is assessed by comparing the constructs and operation of the FEMS against the published work of Brian D Carrier. This approach provides a mechanism for critically analyzing the FEMS model, to identify similarities or impactful considerations within the solution approach, and more importantly, to identify shortcomings within the model. Ultimately, the greatest value in the FEMS is in its ability to serve as a decision support or enhancement system for digital forensic investigators. Copyright / Dissertation (MSc)--University of Pretoria, 2010. / Computer Science / unrestricted Investigations Finite state automata Forensic evidence management system Computer forensics Digital forensics UCTD
57	An exploratory forensic analysis of the Xbox One S All Digital Lidström, Robbin, Elfving, Elfving January 2020 (has links) Gaming consoles’ relevance to the field of digital forensics has steadily been growing sincetheir presence in society has increased. Given how gaming platforms, such as the Xbox One,are produced for commercial interest, they are likely to be secured by use of proprietaryknowledge to safeguard personal data. The means by which information is secured isunknown, thus displaying the need for investigations to determine what information can beextracted from hard drive disk images and whether any of it is personally identifiable data.Furthermore, predecessors to the Xbox One were successfully modified by users, allowingunsigned code to be run; however, this is currently not possible on the Xbox One. In addition,due to the generational aspect of game consoles, proper digital forensic methodology needs tobe developed specifically adapted to the Xbox One. An exploratory approach was pursued toallow for the scope to remain dynamic, letting information found to point to additionalavenues of investigation and research. No personally identifiable information was found, yetthe analysis of selected files allowed for hypotheses concerning their intended purpose.Through file analysis, encryption was found to be in use on the console. Moreover, theMaster File Table was demonstrated as a significant extension to the foundation of consoleforensics methodology. Lastly, it was established that the Xbox One successfully prevents therunning of unsigned code, showing a significant improvement compared to its predecessors. Xbox One console digital forensics exploratory Övrig annan teknik
58	Integrated digital forensic process model Kohn, Michael Donovan 10 June 2013 (has links) The Information and Communications Technology (ICT) environment constitutes an integral part of our daily lives. Individual computer users and large corporate companies are increasingly dependent on services provided by ICT. These services range from basic communication to managing large databases with corporate client information. Within these ICT environments something is bound to go wrong for a number of reasons, which include an intentional attack on information services provided by an organisation. These organisations have in turn become interested in tracing the root cause of such an incident with the intent of successfully prosecuting a suspected malicious user. Digital forensics has developed signi cantly towards prosecuting such criminals. The volumes of information and rapid technological developments have contributed to making simple investigations rather cumbersome. In the digital forensics community a number of digital forensic process models have been proposed encapsulating a complete methodology for an investigation. Software developers have also greatly contributed toward the development of digital forensics tools. These developments have resulted in divergent views on digital forensic investigations. This dissertation presents the IDFPM - Integrated Digital Forensic Process Model. The model is presented after examining digital forensic process models within the current academic and law enforcement literature. An adapted sequential logic notation is used to represent the forensic models. The terminology used in the various models is examined and standardised to suit the IDFPM. Finally, a prototype supports a limited selection of the IDFPM processes, which will aid a digital forensic investigator. / Dissertation (MSc)--University of Pretoria, 2012. / Computer Science / unrestricted Digital forensics Digital evidence Digital forensic framework. Digital forensic process models UCTD
59	Analyse forensique de la mémoire des cartes à puce / Memory carving of smart cards memories Gougeon, Thomas 04 October 2017 (has links) Dans notre monde toujours plus connecté, les cartes à puce sont impliquées quotidiennementdans nos activités, que ce soit pour le paiement, le transport, le contrôle d’accès ou encore la santé.Ces cartes contiennent des informations personnelles liées aux faits et gestes de leur possesseur.Le besoin d’interpréter les données contenues dans les mémoires de ces cartes n’a jamais été aussiimportant. Cependant, sans les spécifications de l’application, il est difficile de connaître quellesinformations sont stockées dans la carte, leur emplacement précis, ou encore l’encodage utilisé.L’objectif de cette thèse est de proposer une méthode qui retrouve les informations stockéesdans les mémoires non volatile des cartes à puce. Ces informations peuvent être des dates (e.g.,date de naissance, date d’un événement) ou des informations textuelles (e.g., nom, adresse). Pourretrouver ces informations, un décodage exhaustif des données à l’aide de différentes fonctions dedécodage est possible. Malheureusement, cette technique génère de nombreux faux positifs. Unfaux positif apparaı̂t lorsqu’une fonction de décodage est appliquée sur des données qui ont étéencodées avec une fonction différente. Cette thèse s’appuie alors sur trois contributions exploitantles spécificités des cartes à puce pour éliminer ces faux positifs. La première contribution identifie lesobjets cryptographiques dans les mémoires non volatiles des cartes à puce afin de ne pas effectuer ledécodage sur ces données. Les deux autres contributions retrouvent respectivement des informationstextuelles et des dates dans ces mémoires. Afin de valider ces méthodes, elles sont chacune appliquéessur 371 mémoires de cartes à puce de la vie réelle. / In our increasingly connected world, smart cards are involved in any everyday activity, and theygather and record plenty of personal data. The need to interpret the raw data of smart card memoryhas never been stronger. However, without the knowledge of the specifications, it is difficult toretrieve what are the information stored, their location, and the encoding used to store them.The objective of this thesis is to propose a method retrieving the stored information in thenon-volatile memory of smart cards. This information include dates (e.g., birth date or event date)and textual information (e.g., name, address). In order to retrieve these information, it is possibleto perform an exhaustive decoding of the data with several decoding functions. Unfortunately,this technique generates a lot of false positives. Indeed, a false positive occurs when a decodingfunction is applied to data that have been encoded with another function. This thesis proposesthree contributions exploiting smart cards specificities to eliminate the false positives. The firstcontribution identifies cryptographic material in these non-volatile memories in order to preventthe false positives generated by the decoding of these cryptographic objects. The two otherscontributions retrieve respectively textual information and dates in these memories. In order tovalidate these methods, they are applied on 371 memory dumps of real-life smart cards. Forensique informatique Cartes à puce Vie privée Digital forensics Smart cards Privacy
60	Digital forensic readiness for IOT devices Kruger, Jaco-Louis January 2019 (has links) The Internet of Things (IoT) has evolved to be an important part of modern society. IoT devices can be found in several environments such as smart homes, transportation, the health sector, smart cities and even facilitates automation in organisations. The increasing dependence on IoT devices increases the possibility of security incidents in the physical or cyber environment. Traditional methods of digital forensic (DF) investigations are not always applicable to IoT devices due to their limited data processing resources. A possible solution for conducting forensic investigations on IoT devices is to utilise a proactive approach known as digital forensic readiness (DFR). This dissertation firstly aims to conduct a thorough review of the available literature in the current body of knowledge to identify a clear process that can be followed to implement DFR tailored for IoT devices. This dissertation then formulates requirements for DFR in IoT based on existing forensic techniques. The requirements for DFR in IoT give rise to the development of a model for DFR in IoT, which is then implemented in a prototype for IoT devices. The prototype is subsequently tested and evaluated on IoT devices that conduct proactive DFR in a simulation of a smart home system. Finally, the dissertation illustrates the feasibility of the DFR processes for IoT and serves as a basis for future research with regards to DFR in IoT. This dissertation will impact future research with regards to developing a standard for DFR in IoT. / Dissertation (MSc)--University of Pretoria, 2019. / Computer Science / MSc / Unrestricted UCTD Computer science Digital forensic readiness Internet of things (IoT) Digital forensics

Search results